Hackers are changing tactics and moving to long-term system access - CERT-UA report
Kyiv • UNN
CERT-UA notes hackers abandoning quick thefts in favor of entrenching themselves in networks. Attackers use zero-click vulnerabilities and personal emails.

The National Cyber Incident, Cyberattack, and Cyber Threat Response Team (CERT-UA) recorded a change in the tactics of hacker groups in the second half of 2025. According to the new analytical report "Cyber Threats: Ukraine," attackers are gradually abandoning quick, one-time data theft in favor of obtaining long-term unauthorized access to systems. This was reported by the Government Quarter, writes UNN.
Abandonment of "Steal & Go" and return to old victims
In the previous half-year, hackers actively used the "Steal & Go" tactic, which involved quick data theft without attempts to gain a foothold in the system. However, they are now increasingly focusing on maintaining the ability to re-enter the compromised infrastructure.
In addition, there are cases of hackers returning to previously compromised systems some time after the first attack. Attackers check whether the vulnerabilities they exploited are still present, or whether the passwords they obtained earlier are still valid. Experts warn: if incident response only restores system operation without eliminating the root causes of the breach, the risk of a repeated attack increases significantly.
Zero-click vulnerabilities and bypassing corporate protection
To penetrate IT infrastructures, the enemy uses new methods:
- attacks without victim involvement: the UAC-0250 group carried out attacks using zero-click vulnerabilities in the Zimbra mail server. Their exploitation allowed hackers to covertly steal correspondence and multi-factor authentication backup codes without any user interaction;
- targeting personal email accounts: to bypass the cybersecurity tools deployed on corporate mail servers, the UAC-0246 group began sending malicious emails directly to citizens' personal inboxes.
Experts emphasize: basic restoration of operations after a cyberattack is no longer enough. Without a complete and thorough cleanup of systems, together with the implementation of strict preventive security measures, institutions remain open to repeated, often more destructive, attacks.
